An Empirical Study of HTTP-based Financial Botnets

Cyber criminals are covertly attacking critical infrastructures, and botnets are a common component of those attacks. In recent years, botnets have been shifting their focus from broad-based attacks to more targeted ones, such as attacks on financial institutions, especially banks. The primary reason for this shift towards financial institutions is simple: that is where the money is. We present an empirical study of the components, features and operations of some of the most widely deployed HTTP-based financial botnets (such as Zeus, SpyEye, ICE 1X, Citadel, Carberp, Tinba, Bugat and Shylock). Our study provides critical insights into the design of these botnets and should help the security community generate intelligence and develop more robust security solutions to defend against cyber attacks by these botnets. In addition, our comparative analysis of the insidious techniques used for Command and Control (C&C) communication, system exploitation and data exfiltration provides an effective and holistic view of the capabilities of HTTP-based financial botnets. This study also highlights the evolution of various HTTP-based financial botnets over time. Finally, we discuss security solutions that can help mitigate some of the techniques used by HTTP-based financial botnets.
